Skip to main content

pretix CVE-2026-11764

| EUVDEUVD-2026-35407 LOW
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
2026-06-09 rami.io GHSA-m6hc-99rm-c9wc
3.6
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
3.6 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 14:51 vuln.today
Patch available
Jun 09, 2026 - 14:01 EUVD
CVSS changed
Jun 09, 2026 - 13:22 NVD
3.6 (LOW)
CVE Published
Jun 09, 2026 - 11:54 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

AnalysisAI

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.

Technical ContextAI

pretix is an open-source Django-based event ticketing platform (cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*) that supports reusable media including gift cards. The vulnerability stems from CWE-280 (Improper Handling of Insufficient Permissions or Privileges): the export codepath for reusable media serializes gift card records - including their full secret tokens - without applying the same permission-scoped data masking enforced by the UI and REST API. Both the UI and API correctly truncate gift card secrets to their first few characters for users lacking the gift card view permission; the bulk export function omits this check entirely, creating a privilege bypass through an alternate data access path. The inconsistency between export and API/UI data handling is the root technical failure.

RemediationAI

Upgrade to pretix 2026.5.1 or later; the fix version is inferred as 2026.5.1 based on the vendor advisory URL (https://pretix.eu/about/en/blog/20260609-release-2026-5-1/, dated 2026-06-09) and the patch is confirmed available from the vendor, though the exact patched version was not independently verified from advisory body text. As a compensating control prior to patching, restrict the reusable media export capability exclusively to users who already hold the gift card viewing permission - this eliminates the permission boundary inconsistency in practice. Trade-off: tightening export access may affect operational staff who use exports for non-gift-card media inventory. Additionally, audit existing exports generated by users without gift card permissions and treat any exposed secrets as compromised, issuing replacement gift cards where feasible.

More in Pretix

View all
CVE-2024-27447 CRITICAL
9.8 Feb 26

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2026-57532 HIGH
8.8 Jun 25

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript

CVE-2023-44464 HIGH
7.8 Sep 29

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen

CVE-2026-13602 HIGH
7.7 Jul 01

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin

CVE-2023-27891 HIGH
7.5 Mar 06

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS

CVE-2024-8113 HIGH
7.2 Aug 23

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag

CVE-2026-2451 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2452 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2415 MEDIUM
5.9 Feb 16

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information

CVE-2026-5600 MEDIUM
5.5 Apr 08

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ

CVE-2026-13225 MEDIUM
5.3 Jun 25

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit

CVE-2023-44463 MEDIUM
5.3 Oct 02

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl

Share

CVE-2026-11764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy